Sourcefire Launches Incident Response Services

With Incident Response Professional Services, Sourcefire will assist customers to clearly identify an event, evaluate the risk, and determine the most effective approach to remediate the issue, Sourcefire said Jan. 14. The Sourcefire Incident Response Team will help customers eliminate uncertainty and make educated decisions for better protection, the company said.

The team brings incident response capabilities to the organization, such as understanding whether data has been compromised or exfiltrated, studying the scope of the attack to determine if it is unique to the customer or part of a larger pattern, and analyzing whether the threat target the organization again, Oliver Friedrichs, senior vice-president of Sourcefire's Cloud Technology group, told SecurityWeek. Incident response generally has four different stages, but customers have the flexibility to have Sourcefire's team in place for only the areas they need help with, Friedrichs said.

“Advanced malware protection is not just about having the right technologies in place but also the right response when the technologies identify an event,” Jonathan Goldberger, vice president of professional services for Sourcefire, said in a statement.

The incident response team will be offering vendor agnostic suggestions when it is appropriate for the customer, Friedrichs said. The customer "many not be a Sourcefire IPS customer, but they look to us for our expertise," he said.

The first stage of incident response is evaluation—doing the "heavy lifting," Friedrichs said. The team will document what happened and understand what has happened using existing security technologies in place. The investigation is typically the largest undertaking because it is time-consuming, he said. The team can easily be vendor agnostic at this stage because the investigation will rely on whatever tools—automated and manual—the organization has along with intelligent data the organization has captured, Friedrichs explained.

The second stage is developing countermeasures. Once the threat has been understood, it is time for the team to figure out how to stop it, Friedrichs. If the attack is still ongoing, then the team will figure out how to stop it. In this stage, the team may develop new signatures or rules and recommend the customer invest in new Sourcefire technologies, or create signatures that can be used for existing deployed non-Sourcefire products.

"We can help make rules for other products, but it will depend on what they [customers] actually have, and whether we know how to work with it," Friedrichs said. The third stage is deploying the countermeasures, tuning and adjusting the rules as necessary. And finally the fourth stage is validating the countermeasure that had been deployed. The team will make sure the new rules and signatures are working and that threats are being blocked, Friedrichs said.

It is possible for the customer to go with another vendor for deployment and validation after Sourcefire develops the countermeasures, Friedrichs said. In short, the customer always has the flexibility to choose when to bring in Sourcefire's professional services team and when to stick with internal teams or other vendors.

“Our incident response service helps our customers bridge the knowledge and experience gap so that they can take a more proactive stance to identifying, mitigating and eliminating risks using the intelligence from FireAMP and advanced malware protection for FirePOWER,” Goldberger said in a statement.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.